Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.0 to 4.4.1 in /terraform/environments/oas #9030

dependabot · 2024-12-10T00:29:10Z

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.0 to 4.4.1.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.4.1

What's Fixed

The original behaviour of the bastion_security_group output has been reinstated. It will once again output the id of the "aws_security_group" "bastion_linux" { ... } resource.

The updated output is still available through the bastion_security_group_map output.

What's Changed

Bump bridgecrewio/checkov-action from 12.2879.0 to 12.2882.0 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#575

Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#574

Bump ministryofjustice/github-actions from 18.2.4 to 18.3.1 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#576

Bump bridgecrewio/checkov-action from 12.2882.0 to 12.2883.0 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#577

Reinstated original behaviour of security group output by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#579

Bump bridgecrewio/checkov-action from 12.2883.0 to 12.2884.0 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#578

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.4.0...v4.4.1

v4.4.0

What's Changed

All module resources use name_prefix instead of name to ensure uniqueness where possible.

The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically. EG. module.bastion.bastion_security_group.id.

What's Changed

Bump bridgecrewio/checkov-action from 12.2877.0 to 12.2879.0 by @dependabot in ministryofjustice/modernisation-platform-terraform-bastion-linux#573

Ensure uniqueness in naming by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#572

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.1...v4.4.0

v4.3.1

What's Fixed

The AWS KMS key used to encrypt the S3 bucket that holds ssh keys is now created with name_prefix instead of name to ensure uniqueness.

The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically. EG. module.bastion.bastion_security_group.id.

What's Changed

Add alias for MP S3 KMS key by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#566

Refactor unit tests by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#569

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.0...v4.3.1

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

A lot of dependabot version bumps

Feature/trivy by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#413

updated README.md and unit test name by @Khatraf in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

add tfsec exception to fix static-analysis check failure by @robertsweetman in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Adds the redact of sensitive data items from test workflow output. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#465

Fixes unredacted data values in workflow log. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#473

... (truncated)

Commits

dfed655 Merge pull request #578 from ministryofjustice/dependabot/github_actions/brid...
0f9f6a7 Bump bridgecrewio/checkov-action from 12.2883.0 to 12.2884.0
629382d Merge pull request #579 from ministryofjustice/fix/reinstate-old-output
d24e7f7 terraform-docs: automated action
498e46b reinstated original behaviour of security group output, and moved new functio...
c95588b Merge pull request #577 from ministryofjustice/dependabot/github_actions/brid...
5d37e86 Bump bridgecrewio/checkov-action from 12.2882.0 to 12.2883.0
948bb8a Merge pull request #576 from ministryofjustice/dependabot/github_actions/mini...
86f2b4b Bump ministryofjustice/github-actions from 18.2.4 to 18.3.1
2137b50 Merge pull request #574 from ministryofjustice/dependabot/github_actions/aqua...
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [bastion_linux::modernisation-platform-terraform-bastion-linux](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux) from 4.2.0 to 4.4.1. - [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux/releases) - [Commits](ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.0...v4.4.1) --- updated-dependencies: - dependency-name: bastion_linux::github::ministryofjustice/modernisation-platform-terraform-bastion-linux::v4.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2024-12-10T00:31:29Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/oas

Running Trivy in terraform/environments/oas
2024-12-10T00:31:18Z INFO [vulndb] Need to update DB
2024-12-10T00:31:18Z INFO [vulndb] Downloading vulnerability DB...
2024-12-10T00:31:18Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-10T00:31:21Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-10T00:31:21Z INFO [vuln] Vulnerability scanning is enabled
2024-12-10T00:31:21Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-10T00:31:21Z INFO [misconfig] Need to update the built-in checks
2024-12-10T00:31:21Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-10T00:31:22Z INFO [secret] Secret scanning is enabled
2024-12-10T00:31:22Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-10T00:31:22Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-10T00:31:23Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-10T00:31:23Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc00027d2b1?}}, {0x0?, 0x0?}})
/home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc00c49ee00, 0xc00691efc0)
/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc00c49ee00)
/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc007f89900)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc007f89900)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc007f89900)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc007f89900, {0x58f3078, 0xc001c6c1e0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc007c9b400, {0x58f3078, 0xc001c6c1e0}, 0xc006e0d140)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc007c9b400, {0x58f3078, 0xc001c6c1e0}, 0xc00c9aed50)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc007c9b400, {0x58f3078, 0xc001c6c1e0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc007d71e00, {0x58f3078, 0xc001c6c1e0}, 0xc00c87f740)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc007d71e00, {0x58f3078, 0xc001c6c1e0}, 0xc00c002030)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc007d71e00, {0x58f3078, 0xc001c6c1e0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc00bbbea20, {0x58f3078, 0xc001c6c1e0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc0012dcab0, {0x58f3078, 0xc001c6c1e0}, {0x58b12c0, 0xc0037fbda0}, {0x58959e8, 0x1})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc0012d0b00, {0x58f3120, 0xc0007ac2a0}, {0x58b12c0, 0xc0011ebc20})
/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000365900, {0x58f3120?, 0xc0007ac2a0?}, {{0x58b12c0?, 0xc0011ebc20?}, {0x9?, 0x0?}})
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc00145ce50, {0xc00078d000, 0x1f, 0x20}, {0xc000526a00, 0x16, 0x20}, 0xc0010a3140, {0x47ad91d, 0x7}}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffc9b06fac5, 0x2c}, {0x7fa1b4144120, 0xc001118100}, {0x58b11e0, 0x827fc80}, {0xc00145ce50, {0xc00078d000, 0x1f, 0x20}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{, }, {, }}, {, }, {{0xc000e67e60, 0x2, 0x2}, {0xc001107a00, ...}, ...})
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(, {_, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc0003f7ec0, ...}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc000823b08, {0xc000a1a000, 0x1, 0xa})
/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc000823b08, {0xc000b39e00, 0xa, 0xa})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc000823208)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041 +0x13
main.run()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/oas

*****************************

Running Checkov in terraform/environments/oas
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-10 00:31:27,116 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.1:None (for external modules, the --download-external-modules flag is required)
2024-12-10 00:31:27,116 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 93, Failed checks: 39, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.default_oas
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "default_oas" {
		2 |   name = "${local.application_name}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /cloudwatch.tf:102-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "pagerduty_core_alerts" {
		103 |   depends_on = [
		104 |     module.cwalarm
		105 |   ]
		106 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		107 |   sns_topics                = [local.sns_topic_name]
		108 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		109 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oas_app_instance
	File: /ec2.tf:16-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		16 | resource "aws_instance" "oas_app_instance" {
		17 |   ami = local.application_data.accounts[local.environment].ec2amiid
		18 |   # associate_public_ip_address = false
		19 |   availability_zone = "eu-west-2a"
		20 |   ebs_optimized     = true
		21 |   instance_type     = local.application_data.accounts[local.environment].ec2instancetype
		22 |   # vpc_security_group_ids      = [aws_security_group.ec2.id]
		23 |   monitoring = true
		24 |   # subnet_id                   = data.aws_subnet.private_subnets_a.id
		25 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		26 |   user_data_replace_on_change = true
		27 |   user_data                   = base64encode(data.local_file.userdata.content)
		28 | 
		29 | 
		30 | 
		31 |   network_interface {
		32 |     network_interface_id = aws_network_interface.oas_eni.id
		33 |     device_index         = 0
		34 |   }
		35 | 
		36 |   root_block_device {
		37 |     delete_on_termination = false
		38 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		39 |     volume_size           = 40
		40 |     volume_type           = "gp2"
		41 |     tags = merge(
		42 |       local.tags,
		43 |       { "Name" = "${local.application_name}-root-volume" },
		44 |     )
		45 |   }
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "${local.application_name} Apps Server" },
		50 |     { "instance-scheduling" = "skip-scheduling" },
		51 |     { "snapshot-with-daily-7-day-retention" = "yes" }
		52 |   )
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:273-313
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		273 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		274 |   #tfsec:ignore:aws-iam-no-policy-wildcards
		275 |   name = "${local.application_name}-ec2-policy"
		276 |   role = aws_iam_role.ec2_instance_role.id
		277 | 
		278 |   # Terraform's "jsonencode" function converts a
		279 |   # Terraform expression result to valid JSON syntax.
		280 |   policy = jsonencode({
		281 |     Version = "2012-10-17"
		282 |     Statement = [
		283 |       {
		284 |         Action = [
		285 |           "ec2:Describe*",
		286 |         ]
		287 |         Effect   = "Allow"
		288 |         Resource = "*"
		289 |       },
		290 |       {
		291 |         Effect = "Allow",
		292 |         Action = [
		293 |           "s3:ListBucket",
		294 |         ],
		295 |         Resource = [
		296 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001",
		297 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		298 |         ]
		299 |       },
		300 |       {
		301 |         Effect = "Allow",
		302 |         Action = [
		303 |           "s3:GetObject",
		304 |           "s3:PutObject",
		305 |           "s3:PutObjectAcl",
		306 |         ],
		307 |         Resource = [
		308 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		309 |         ]
		310 |       }
		311 |     ]
		312 |   })
		313 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.cwalarm.aws_sns_topic.alerting_topic
	File: /modules/cloudwatch/cloudwatch.tf:38-40
	Calling File: /cloudwatch.tf:94-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		38 | resource "aws_sns_topic" "alerting_topic" {
		39 |   name = var.snsTopicName
		40 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.allow_secret_manager
	File: /modules/rotate_secrets_lambda/main.tf:117-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		117 | resource "aws_lambda_permission" "allow_secret_manager" {
		118 |   action        = "lambda:InvokeFunction"
		119 |   function_name = aws_lambda_function.rotate_secrets.function_name
		120 |   principal     = "secretsmanager.amazonaws.com"
		121 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rotate_secrets_lambda
	File: /modules/rotate_secrets_lambda/main.tf:123-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		123 | resource "aws_cloudwatch_log_group" "rotate_secrets_lambda" {
		124 |   name              = aws_lambda_function.rotate_secrets.function_name
		125 |   retention_in_days = var.log_group_retention_days
		126 |   lifecycle {
		127 |     prevent_destroy = true
		128 |   }
		129 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeORAHOME
	File: /ec2.tf:315-331
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		315 | resource "aws_ebs_volume" "EC2ServerVolumeORAHOME" {
		316 |   availability_zone = "eu-west-2a"
		317 |   size              = local.application_data.accounts[local.environment].orahomesize
		318 |   type              = "gp3"
		319 |   encrypted         = true
		320 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		321 |   snapshot_id       = local.application_data.accounts[local.environment].orahome_snapshot
		322 | 
		323 |   lifecycle {
		324 |     ignore_changes = [kms_key_id]
		325 |   }
		326 | 
		327 |   tags = merge(
		328 |     local.tags,
		329 |     { "Name" = "${local.application_name}-EC2ServerVolumeORAHOME" },
		330 |   )
		331 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeSTAGE
	File: /ec2.tf:339-355
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		339 | resource "aws_ebs_volume" "EC2ServerVolumeSTAGE" {
		340 |   availability_zone = "eu-west-2a"
		341 |   size              = local.application_data.accounts[local.environment].stageesize
		342 |   type              = "gp3"
		343 |   encrypted         = true
		344 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		345 |   snapshot_id       = local.application_data.accounts[local.environment].stage_snapshot
		346 | 
		347 |   lifecycle {
		348 |     ignore_changes = [kms_key_id]
		349 |   }
		350 | 
		351 |   tags = merge(
		352 |     local.tags,
		353 |     { "Name" = "${local.application_name}-EC2ServerVolumeSTAGE" },
		354 |   )
		355 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/oas

*****************************

Running tflint in terraform/environments/oas
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/ec2.tf line 1:
   1: data "local_file" "userdata" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/weblogic.tf line 1:
   1: resource "random_password" "weblogic" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/oas

*****************************

Running Trivy in terraform/environments/oas
2024-12-10T00:31:18Z	INFO	[vulndb] Need to update DB
2024-12-10T00:31:18Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-10T00:31:18Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-10T00:31:21Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-10T00:31:21Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-10T00:31:21Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-10T00:31:21Z	INFO	[misconfig] Need to update the built-in checks
2024-12-10T00:31:21Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-10T00:31:22Z	INFO	[secret] Secret scanning is enabled
2024-12-10T00:31:22Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-10T00:31:22Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-10T00:31:23Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-10T00:31:23Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc00027d2b1?}}, {0x0?, 0x0?}})
	/home/runner/go/pkg/mod/github.com/zclconf/go-cty@v1.15.0/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc00c49ee00, 0xc00691efc0)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc00c49ee00)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc007f89900)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc007f89900)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc007f89900)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc007f89900, {0x58f3078, 0xc001c6c1e0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc007c9b400, {0x58f3078, 0xc001c6c1e0}, 0xc006e0d140)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc007c9b400, {0x58f3078, 0xc001c6c1e0}, 0xc00c9aed50)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc007c9b400, {0x58f3078, 0xc001c6c1e0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc007d71e00, {0x58f3078, 0xc001c6c1e0}, 0xc00c87f740)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc007d71e00, {0x58f3078, 0xc001c6c1e0}, 0xc00c002030)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc007d71e00, {0x58f3078, 0xc001c6c1e0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc00bbbea20, {0x58f3078, 0xc001c6c1e0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc0012dcab0, {0x58f3078, 0xc001c6c1e0}, {0x58b12c0, 0xc0037fbda0}, {0x58959e8, 0x1})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc0012d0b00, {0x58f3120, 0xc0007ac2a0}, {0x58b12c0, 0xc0011ebc20})
	/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000365900, {0x58f3120?, 0xc0007ac2a0?}, {{0x58b12c0?, 0xc0011ebc20?}, {0x9?, 0x0?}})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc00145ce50, {0xc00078d000, 0x1f, 0x20}, {0xc000526a00, 0x16, 0x20}, 0xc0010a3140, {0x47ad91d, 0x7}}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffc9b06fac5, 0x2c}, {0x7fa1b4144120, 0xc001118100}, {0x58b11e0, 0x827fc80}, {0xc00145ce50, {0xc00078d000, 0x1f, 0x20}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc000e67e60, 0x2, 0x2}, {0xc001107a00, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc0003f7ec0, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc000823b08, {0xc000a1a000, 0x1, 0xa})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc000823b08, {0xc000b39e00, 0xa, 0xa})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc000823208)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1041 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

dependabot bot requested a review from a team as a code owner December 10, 2024 00:29

dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels Dec 10, 2024

dependabot bot requested review from a team as code owners December 10, 2024 00:29

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 10, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.0 to 4.4.1 in /terraform/environments/oas #9030

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.0 to 4.4.1 in /terraform/environments/oas #9030

dependabot bot commented on behalf of github Dec 10, 2024

github-actions bot commented Dec 10, 2024

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.0 to 4.4.1 in /terraform/environments/oas #9030

Are you sure you want to change the base?

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.0 to 4.4.1 in /terraform/environments/oas #9030

Conversation

dependabot bot commented on behalf of github Dec 10, 2024

v4.4.1

What's Fixed

What's Changed

v4.4.0

What's Changed

What's Changed

v4.3.1

What's Fixed

What's Changed

v4.3.0

What's New

What's Changed

github-actions bot commented Dec 10, 2024

Trivy Scan Failed

CTFLint Scan Failed

Trivy Scan Failed

`Trivy Scan` Failed

`CTFLint Scan` Failed

`Trivy Scan` Failed